Lantao Liu
f938a166cd
Fix kube-container-runtime-monitor.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
91f8e61bd3
Use crictl installed in kube-up.sh
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
5161f663e4
Add unix:// prefix for socket addresses used by CRI remote client.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
1b995fcaf2
Add KUBE_CONTAINER_RUNTIME_NAME to fix fluentd support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
48457a254e
Try using preloaded containerd if no version is specified.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
c67a38b0b5
Add log level support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
4453aac005
Improve gce bootstrapping in various ways.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:08 -07:00
Lantao Liu
1bd3cdc572
Add cni config template support.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
d520fac508
Enable TLS streaming in all the setup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
cdb4aec93a
Use systemd service cgroup and oom score adj.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
af8bd80689
Fix for kube-up.sh and update several documents.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
005da4a9b9
Replace ctrcri with ctr cri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
0e2bd216ce
Update GCE cluster bootstrapping and e2e test
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
59e65e1f37
Enable container log rotation.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
85b4e69c9f
Do not block on stream server close.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
2ea6584ca7
Add initial wait for health-monitor and use pkill -x.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:07 -07:00
Lantao Liu
56b7ef2c4d
The ENV is finalized as KUBE_KUBELET_EXTRA_ARGS.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Mike Brown
24a3a0a068
change crictl sandboxes to pods; other references to sandboxes
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
8bc30e7a2e
Update ocicni to main stream.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a010715584
Add a separate CLI for cri-containerd ctrcri.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
a843a30645
Use registry-1.docker.io as backup
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
ec649079a9
Put version into metadata so that version won't be changed across restart.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
7cbc1c8dc3
Set registry mirror.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
9f0816ac43
Configure container runtime cgroups for cgroup.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:06 -07:00
Lantao Liu
be72f47ec9
Add runtime cgroup and fix a cli panic.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
680e21c430
Update all glog flags to log-level.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
d50b9dd64c
Update containerd to 6c7abf7c76c1973d4fb4b0bad51691de84869a51.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
869ea6b0c8
Add document for kube-up.sh
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
30cbfb62ec
Add OS and arch in release tarball.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Lantao Liu
0512d1e0b2
Add cluster directory and health-monitor.sh.
Signed-off-by: Lantao Liu <lantaol@google.com>
2020-08-11 09:15:05 -07:00
Sebastiaan van Stijn
55c9eade39
Bump Golang 1.13.15
full diff: https://github.com/golang/go/compare/go1.13.14...go1.13.15
go1.13.15 (released 2020/08/06) includes security fixes to the encoding/binary
package. See the Go 1.13.15 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.15+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-08 15:07:28 +02:00
Sebastiaan van Stijn
089672fff4
Bump Golang 1.13.14
full diff: https://github.com/golang/go/compare/go1.13.13...go1.13.14
go1.13.14 (released 2020/07/16) includes fixes to the compiler, vet, and the
database/sql, net/http, and reflect packages. See the Go 1.13.14 milestone on
the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.14+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-07-17 15:37:52 +02:00
Akihiro Suda
c520f819a2
Bump Go 1.13.13
Includes security fixes to the `crypto/x509` and `net/http` packages.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.13+label%3ACherryPickApproved
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-07-15 14:24:48 +09:00
Florian Schmaus
e977564a8b
seccomp: allow 'rseq' syscall in default seccomp profile
Restartable Sequences (rseq) are a kernel-based mechanism for fast
update operations on per-core data in user-space. Some libraries, like
the newest version of Google's TCMalloc, depend on it [1].
This also makes Docker's default seccomp profile on par with systemd's,
which enabled 'rseq' in early 2019 [2].
1: https://google.github.io/tcmalloc/design.html
2: systemd/systemd@6fee3be
Signed-off-by: Florian Schmaus <flo@geekplace.eu>
2020-06-26 17:10:05 +02:00
Wei Fu
e89500bcb0
Merge pull request #4333 from AkihiroSuda/golang-1.13.12
Bump Golang 1.13.12
2020-06-23 08:54:05 +08:00
Davanum Srinivas
2b0a994ccc
explicitly fail apparmor when !linux
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-06-22 12:54:09 -04:00
Akihiro Suda
1a83f9a638
Bump Golang 1.13.12
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-22 16:49:31 +09:00
Michael Crosby
0f831093ce
Update usage of whitelist in project
Signed-off-by: Michael Crosby <michael@thepasture.io>
2020-06-08 12:49:22 -05:00
Kenta Tada
03755821d2
seccomp: remove the unused query_module(2)
query_module(2) is only in kernels before Linux 2.6.
Signed-off-by: Kenta Tada <Kenta.Tada@sony.com>
2020-05-19 10:36:55 +09:00
Phil Estes
d7c4bda3b1
Merge pull request #4264 from thaJeztah/seccomp_allow_clock_adjtime
seccomp: Whitelist `clock_adjtime`
2020-05-18 09:36:08 -04:00
Stanislav Levin
5765991f2c
seccomp: Whitelist clock_adjtime
This only allows making the syscall. CAP_SYS_TIME is still required
for time adjustment (enforced by the kernel):
```
kernel/time/posix-timers.c:
1112 SYSCALL_DEFINE2(clock_adjtime, const clockid_t, which_clock,
1113 struct __kernel_timex __user *, utx)
...
1121 err = do_clock_adjtime(which_clock, &ktx);
1100 int do_clock_adjtime(const clockid_t which_clock, struct __kernel_timex * ktx)
1101 {
...
1109 return kc->clock_adj(which_clock, ktx);
1299 static const struct k_clock clock_realtime = {
...
1304 .clock_adj = posix_clock_realtime_adj,
188 static int posix_clock_realtime_adj(const clockid_t which_clock,
189 struct __kernel_timex *t)
190 {
191 return do_adjtimex(t);
kernel/time/timekeeping.c:
2312 int do_adjtimex(struct __kernel_timex *txc)
2313 {
...
2321 /* Validate the data before disabling interrupts */
2322 ret = timekeeping_validate_timex(txc);
2246 static int timekeeping_validate_timex(const struct __kernel_timex *txc)
2247 {
2248 if (txc->modes & ADJ_ADJTIME) {
...
2252 if (!(txc->modes & ADJ_OFFSET_READONLY) &&
2253 !capable(CAP_SYS_TIME))
2254 return -EPERM;
2255 } else {
2256 /* In order to modify anything, you gotta be super-user! */
2257 if (txc->modes && !capable(CAP_SYS_TIME))
2258 return -EPERM;
```
Fixes: moby/moby 40919
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-17 23:11:04 +02:00
Sebastiaan van Stijn
d07a71b97f
Bump Golang 1.13.11
full diff: https://github.com/golang/go/compare/go1.13.10...go1.13.11
go1.13.11 (released 2020/05/14) includes fixes to the compiler. See the Go 1.13.11
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.11+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-16 14:57:04 +02:00
Antonio Ojea
11a78d9d0f
don't use socat for port forwarding
Use goroutines to copy the data from the stream to the TCP
connection, and vice versa, removing the socat dependency.
Quoting Lantao Liu, the logic is as follows:
When one side (either pod side or user side) of portforward
is closed, we should stop port forwarding.
When one side is closed, the io.Copy that uses that side as source will close,
but the io.Copy that uses that side as dest won't.
Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
2020-05-09 00:54:30 +02:00
Sebastiaan van Stijn
7da1e13b5d
Bump Golang 1.13.10
go1.13.10 (released 2020/04/08) includes fixes to the go command, the runtime,
os/exec, and time packages. See the Go 1.13.10 milestone on the issue tracker
for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.10+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.13.9...go1.13.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-09 22:03:48 +02:00
Sebastiaan van Stijn
aa76d95375
Bump Golang 1.13.9
go1.13.9 (released 2020/03/19) includes fixes to the go command, tools, the
runtime, the toolchain, and the crypto/cypher package. See the Go 1.13.9
milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.13.9+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.13.8...go1.13.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-03 19:55:37 +02:00
Sebastiaan van Stijn
9529c69b8a
seccomp: add 64-bit time_t syscalls
Relates to https://patchwork.kernel.org/patch/10756415/
Added to whitelist:
- `clock_getres_time64` (equivalent of `clock_getres`, which was whitelisted)
- `clock_gettime64` (equivalent of `clock_gettime`, which was whitelisted)
- `clock_nanosleep_time64` (equivalent of `clock_nanosleep`, which was whitelisted)
- `futex_time64` (equivalent of `futex`, which was whitelisted)
- `io_pgetevents_time64` (equivalent of `io_pgetevents`, which was whitelisted)
- `mq_timedreceive_time64` (equivalent of `mq_timedreceive`, which was whitelisted)
- `mq_timedsend_time64` (equivalent of `mq_timedsend`, which was whitelisted)
- `ppoll_time64` (equivalent of `ppoll`, which was whitelisted)
- `pselect6_time64` (equivalent of `pselect6`, which was whitelisted)
- `recvmmsg_time64` (equivalent of `recvmmsg`, which was whitelisted)
- `rt_sigtimedwait_time64` (equivalent of `rt_sigtimedwait`, which was whitelisted)
- `sched_rr_get_interval_time64` (equivalent of `sched_rr_get_interval`, which was whitelisted)
- `semtimedop_time64` (equivalent of `semtimedop`, which was whitelisted)
- `timer_gettime64` (equivalent of `timer_gettime`, which was whitelisted)
- `timer_settime64` (equivalent of `timer_settime`, which was whitelisted)
- `timerfd_gettime64` (equivalent of `timerfd_gettime`, which was whitelisted)
- `timerfd_settime64` (equivalent of `timerfd_settime`, which was whitelisted)
- `utimensat_time64` (equivalent of `utimensat`, which was whitelisted)
Not added to whitelist:
- `clock_adjtime64` (equivalent of `clock_adjtime`, which was not whitelisted)
- `clock_settime64` (equivalent of `clock_settime`, which was not whitelisted)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-25 14:07:38 +01:00
George Goh
c44ad801f9
Fixed merge conflicts.
2020-03-16 20:56:08 +08:00
Sebastiaan van Stijn
499ab8a99a
Update Golang 1.13.8
full diff: https://github.com/golang/go/compare/go1.13.7...go1.13.8
go1.13.8 (released 2020/02/12) includes fixes to the runtime, the crypto/x509,
and net/http packages. See the Go 1.13.8 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.13.8+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-17 17:18:25 +01:00
Mike Brown
c9ed98462d
move to v3.2 for the pause image
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2020-02-14 12:55:52 -06:00
Shengjing Zhu
348e683ceb
Fix zsh autocomplete script
Fix completion when argument starts with `-`
Merged in upstream https://github.com/urfave/cli/pull/1062
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2020-02-11 19:56:27 +08:00